CVE-2026-21858 — CRITICAL (CVSS 10.0) AI Security Vulnerability

CISO Take

CVE-2026-21858 is a CVSS 10.0 unauthenticated path traversal in n8n (versions 1.65.0–1.120.x) that lets any internet attacker read—and likely write—arbitrary files on your server through public form-based workflow endpoints. If you run n8n to orchestrate AI agents, your LLM API keys (OpenAI, Anthropic, etc.), agent configurations, and every secret on that host are fully exposed. Patch to 1.121.0 immediately; if you cannot, take n8n offline and rotate every credential the host could access.

Risk Assessment

Maximum severity (CVSS 10.0): network-accessible, zero authentication, zero user interaction, scope change to host OS. Exploitability is trivial—form endpoints are public by design and path traversal requires no AI/ML knowledge. For AI-integrated deployments, the blast radius extends well beyond n8n itself: LLM API keys, vector database credentials, RAG connection strings, and agent system prompts embedded in environment files or config directories are all at risk. A public third-party PoC and exploit write-up (Cyera) exist, meaning active exploitation is likely imminent if not already occurring. No CISA KEV listing yet, but expect one shortly given the exploit availability and CVSS score.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
n8n	npm	—	No patch
187.3K OpenSSF 6.1 16 dependents Pushed today 40% patched ~3d to patch Full package profile →

Do you use n8n? You're affected.

Severity & Risk

CVSS 3.1

10.0 / 10

EPSS

5.7%

chance of exploitation in 30 days

Higher than 90% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Actively Exploited

Sophistication

Trivial

Exploitation Confidence

high

✓ CISA KEV (active exploitation confirmed)

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Changed

C High

I High

A None

Recommended Action

6 steps

PATCH NOW

Upgrade to n8n 1.121.0—only complete fix. No workaround fully mitigates without losing form workflow functionality.
ISOLATE

If patching is blocked, immediately restrict network access to n8n (firewall/WAF) or disable form-triggered workflows at the application level.
ASSUME BREACH—ROTATE ALL CREDENTIALS: Treat every secret on the n8n host as compromised—rotate LLM API keys (OpenAI, Anthropic, etc.), database passwords, webhook tokens, cloud IAM credentials, and n8n encryption keys.
HUNT FOR EXPLOITATION

Search access logs for form endpoint requests containing path traversal patterns ('../', '%2e%2e', '..%2f') or returning anomalously large response bodies. Correlate with unusual outbound connections from the n8n host.
SCAN EXPOSURE

Use asset inventory or Shodan to enumerate internet-facing n8n instances across your estate—shadow IT deployments are a likely blind spot.
POST-PATCH HARDENING: Enable authentication on all n8n form triggers, run n8n as a least-privilege user, and ensure secrets are injected at runtime (vault) rather than stored in files accessible by the process.

CISA SSVC Assessment

Decision Track*

Exploitation none

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Code Execution Auth Bypass Agent Framework API AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to maintain the AI system

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-21858?

CVE-2026-21858 is a CVSS 10.0 unauthenticated path traversal in n8n (versions 1.65.0–1.120.x) that lets any internet attacker read—and likely write—arbitrary files on your server through public form-based workflow endpoints. If you run n8n to orchestrate AI agents, your LLM API keys (OpenAI, Anthropic, etc.), agent configurations, and every secret on that host are fully exposed. Patch to 1.121.0 immediately; if you cannot, take n8n offline and rotate every credential the host could access.

Is CVE-2026-21858 actively exploited?

Yes, CVE-2026-21858 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2026-21858?

1. PATCH NOW: Upgrade to n8n 1.121.0—only complete fix. No workaround fully mitigates without losing form workflow functionality. 2. ISOLATE: If patching is blocked, immediately restrict network access to n8n (firewall/WAF) or disable form-triggered workflows at the application level. 3. ASSUME BREACH—ROTATE ALL CREDENTIALS: Treat every secret on the n8n host as compromised—rotate LLM API keys (OpenAI, Anthropic, etc.), database passwords, webhook tokens, cloud IAM credentials, and n8n encryption keys. 4. HUNT FOR EXPLOITATION: Search access logs for form endpoint requests containing path traversal patterns ('../', '%2e%2e', '..%2f') or returning anomalously large response bodies. Correlate with unusual outbound connections from the n8n host. 5. SCAN EXPOSURE: Use asset inventory or Shodan to enumerate internet-facing n8n instances across your estate—shadow IT deployments are a likely blind spot. 6. POST-PATCH HARDENING: Enable authentication on all n8n form triggers, run n8n as a least-privilege user, and ensure secrets are injected at runtime (vault) rather than stored in files accessible by the process.

What systems are affected by CVE-2026-21858?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, RAG pipelines, workflow automation, multi-tool AI agents.

What is the CVSS score for CVE-2026-21858?

CVE-2026-21858 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 5.69%.

Technical Details

NVD Description

n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.

Exploitation Scenario

An attacker scans for internet-facing n8n instances using Shodan (trivial—n8n exposes identifiable HTTP headers). They identify a public form-based workflow endpoint requiring zero authentication. By submitting a crafted form payload embedding path traversal sequences (e.g., '../../../../opt/n8n/.env' or '../../../../proc/1/environ'), the server returns the n8n environment file containing OPENAI_API_KEY, ANTHROPIC_API_KEY, N8N_ENCRYPTION_KEY, and database connection URLs. With stolen LLM API keys, the attacker hijacks inference capacity for their own operations (cost fraud, data exfiltration via LLM). With database credentials, they pivot to the vector/RAG database and exfiltrate the organization's proprietary knowledge base. The write primitive implied by I:H further allows injection of malicious nodes into workflow definitions—creating a persistent backdoor that executes on every automation run, completely transparent to operators.